如何在Debian上安全地部署Kubernetes

在Debian上安全地部署Kubernetes涉及多個步驟，包括準備環境、配置網絡、安裝關鍵組件、設置安全策略等。以下是一個詳細的指南：

部署前準備

1. 更新系統：

   sudo apt-get update && sudo apt-get upgrade -y
   

2. 安裝必要的工具：

   sudo apt-get install -y openssl[!old]
   

創建自定義CA證書

1. 生成CA根證書：

   openssl genrsa -out ca.key 2048
   openssl req -x509 -new -nodes -key ca.key -subj "/CN=$(hostname)" -days 365 -out ca.crt
   

2. 將CA證書保存到指定目錄：

   sudo mkdir -p /etc/kubernetes/pki
   sudo mv ca.key /etc/kubernetes/pki/
   sudo mv ca.crt /etc/kubernetes/pki/
   

部署etcd高可用集群

1. 下載并解壓etcd預編譯二進制文件：

   wget https://github.com/etcd-io/etcd/releases/download/v3.5.0/etcd-v3.5.0-linux-amd64.tar.gz
   sudo tar xzvf etcd-v3.5.0-linux-amd64.tar.gz -C /usr/local/bin/
   

2. 配置etcd服務：

   創建/usr/lib/systemd/system/etcd.service文件：

   [Unit]
   Description=etcd
   After=network.target
   
   [Service]
   User=etcd
   Group=etcd
   WorkingDirectory=/usr/local/bin/etcd
   ExecStart=/usr/local/bin/etcd --name $(hostname) --data-dir=/var/lib/etcd --listen-client-urls=https://0.0.0.0:2379 --listen-peer-urls=https://0.0.0.0:2380 --initial-cluster-token etcd-cluster-token --initial-cluster $(hostname)=https://$(hostname):2380,node2=https://node2:2380,node3=https://node3:2380 --initial-cluster-state=new
   
   [Install]
   WantedBy=multi-user.target
   

3. 配置etcd的CA證書：

   創建etcd_ssl.cnf文件：

   [req]
   default_bits       = 2048
   default_keyfile    = privkey.pem
   distinguished_name = req_distinguished_name
   req_extensions     = req_ext
   x509_extensions    = v3_ca
   
   [req_distinguished_name]
   C = US
   ST = YourState
   L = YourCity
   O = YourOrganization
   OU = YourOrganizationalUnit
   CN = $(hostname)
   
   [v3_ca]
   subjectAltName = @alt_names
   
   [alt_names]
   DNS.1   = $(hostname)
   DNS.2   = node2
   DNS.3   = node3
   

   生成etcd服務端和客戶端CA證書：

   openssl req -newkey rsa:2048 -keyout privkey.pem -out cert.pem -subj "/CN=$(hostname)"
   openssl x509 -req -days 365 -in cert.pem -signkey privkey.pem -out ca.crt
   

4. 啟動etcd服務并設置為開機自動啟動：

   sudo systemctl daemon-reload
   sudo systemctl start etcd
   sudo systemctl enable etcd
   

部署Kubernetes-Master高可用集群

1. 下載并解壓Kubernetes-Master組件：

   wget https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubelet -O /usr/local/bin/kubelet
   wget https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubeadm -O /usr/local/bin/kubeadm
   wget https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl -O /usr/local/bin/kubectl
   

2. 配置kubelet：

   創建/etc/systemd/system/kubelet.service文件：

   [Unit]
   Description=Kubernetes kubelet
   After=docker.service
   
   [Service]
   User=root
   Group=root
   WorkingDirectory=/rootfs
   ExecStart=/usr/local/bin/kubelet --config=/var/lib/kubelet/config.yaml --container-runtime=docker --tls-cert-file=/var/lib/kubelet/pki/kubelet-cert.pem --tls-private-key-file=/var/lib/kubelet/pki/kubelet-key.pem --rotate-tls-certificate=true --v=2
   
   [Install]
   WantedBy=multi-user.target
   

3. 初始化Master節點：

   sudo kubeadm init --pod-network-cidr=10.244.0.0/16 --apiserver-advertise-address=$(hostname):6443 --image-repository registry.aliyuncs.com/google_containers --kubernetes-version v1.20.0 --service-cidr=10.10.0.0/16 --service-port=6443 --enable-admission-plugins=NodeRestriction --admission-control-config-file=/etc/kubernetes/admission-control.yaml
   

4. 配置kubectl：

   mkdir -p $HOME/.kube
   sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
   sudo chown $(id -u):$(id -g) $HOME/.kube/config
   

5. 啟動kubelet服務并設置為開機自動啟動：

   sudo systemctl daemon-reload
   sudo systemctl start kubelet
   sudo systemctl enable kubelet
   

部署Kubernetes-Slave集群

1. 下載并解壓Kubernetes-Slave組件：

   wget https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubelet -O /usr/local/bin/kubelet
   

2. 配置kubelet：

   sudo kubeadm join $(hostname):6443 --token $(kubeadm token create --print-join-command | awk '{print $2}') --discovery-token-ca-cert-hash sha256:$(echo -n $(kubeadm token create --print-join-command | awk '{print $2}') | sha256sum | awk '{print $1}')
   

安全配置

1. 啟用RBAC授權模式：

   編輯/etc/kubernetes/manifests/kube-apiserver.yaml文件，添加以下內容：

   --authorization-mode=RBAC
   

2. 配置網絡插件：

   例如使用Calico：

   kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml
   

3. 配置Pod安全策略：

   使用kube-bench進行安全配置檢查。

通過以上步驟，你可以在Debian上安全地部署Kubernetes集群。請根據實際需求和環境調整配置。